88% of IT Admins Would Steal Passwords If Laid Off
narramissic writes "According to identity management firm Cyber-Ark's annual 'Trust, Security & Passwords' survey, a whopping 88% of IT administrators would steal CEO passwords, customer database, research and development plans, financial reports, M&A plans and the company's list of privileged passwords if they were suddenly laid off. The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
Not reasonable (Score:5, Interesting)
I think the operative word is 'suddenly'... (Score:3, Interesting)
Typically, (at least in companies with some sense) the decision to remove an IT worker is made in advance, with steps taken to drastically reduce that individual's ability to do damage.
Rarely is an IT worker told about their demise until steps are in place to have someone watch that person pack their belongings, upon which they are escorted to the door. They would be lucky to steal their favorite coffee mug in such cases.
Stupid is the company that gives notice to someone with keys to the kingdom, except in cases where the person is needed to stick around to train their own replacement.
But then, anyone who would agree to do that without MASSIVE compensation is a pussy.
That said, I do know a guy who kept a series of special GPOs at the ready when he figured he was on his way out of HP back in the day...
Re:Not reasonable (Score:2, Interesting)
In most cases IT has root and/or physical access to the servers, which means your password is merely gonna hold any determined sysadmin back for a few minutes.
Unless you're using additional measures (certain methods of encryption, for example), the "security measures" you describe aren't worth a thing.
It depends on your definition of "stealing" (Score:3, Interesting)
When I am leaving a job, I'm not actively concerned in making sure every piece of knowledge about my tenure is forgotten and every napkin I may have scribbled something on is returned or destroyed, and every backup I've made is destroyed because I use a lot of the scripts/docs/etc... as part of my new job hiring interview. Conversely, most firms I've worked at haven't changed their admin passwords or door codes when I left, so they don't seem particularly concerned either. (Which may or may not be normative.)
I would say that the time when most IT folks are going out of their way to collect information is if they feel like they're being set up as the fall guy. At my last gig my project lead liked to broadcast to the whole group when a server went down (blaming me), so I was meticulous about keeping a copy of every log, logon time, and email from her, so when I was accused, I could defend myself to our supervisor. If you're being laid off for some straight-up BS, and you're acute enough to see it coming, you better bet I'm going to collect as much as I can to clear my name. Be it to that firm or to my new employer should I get a bad reference.
Betray the betrayer? (Score:5, Interesting)
When someone is laid off for no apparent reason, they often feel hurt and betrayed. A natural reaction is that the trust between them has already been destroyed.
At one company I was with, a sysadmin was on a conference call, and had his hands full when the call ended. The CEO never hung up the phone, and started talking to his assistant about people losing their jobs and how much severance would be paid. The sysadmin, who probably should have hung up when he was first able to, couldn't resist listening for a short time. After a couple of minutes, the CEO finally realized that his phone was still on, and hung up the line. By that time, the sysadmin knew that several people would be laid off soon, but not how soon, or which people.
He informed a couple of his friends that the company was in worse shape than he had realized, and discreetly began updating his resume. Within a month, the company was bought out and closed down by another company and everyone lost their jobs. He was asked to stay on as part of the transition team and told that the new company would pay him, but after a couple of days, it was clear that he had been working for free and the new company was not going to honor the agreement.
At that time, he still had sysadmin access, and began to look through emails of the former employees. Some, including the CEO, were still getting and sending emails through web access through the old company server. He learned that although the board of directors did not want to spend the money to make sure that the fired employees could still have health insurance for a couple of months, they were willing to give the former CEO $25,000 for his efforts.
I have always said that a good sysadmin knows all the secrets of a company, but a great sysadmin knows when not to look. In this case, was the sysadmin justified in looking after he had been promised to be paid and then told he was not being paid? (Yes, his access should have been cut off, but he was the one who would have had to cut himself off and he was never told to do so.)
Although this situation may be unique, I think that many sysadmins may feel the same way. Once they are betrayed, they no longer feel the need to stay loyal to those that betray them.
Not Exactly News To Me (Score:2, Interesting)
I've watched three IT admins get escorted out of the building in the past 5 years due to my sending of emails carefully salted with bogus salacious information about our department. If the fake information doesn't make it to a certain vice-president, then their job is safe. If it does, then there's only one person who could have known it (besides me of course), and out the door they go.
This little collateral duty of mine has been quite lucrative - I receive a percentage of whatever money the company saved by firing the dirtbag admins who couldn't keep their noses out of other people's data. And if they were willing to pass on what essentially is inter-office gossip, then who is to say that they wouldn't be just as willing to pass our trade secrets to outsiders?
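The leak-tracing trick described in this post is a form of canary token: every privileged reader receives a message that is identical except for one fabricated detail, so the detail itself identifies whoever passed it on. The following is an added example, not code from the post or from anyone in this thread. It is a stdlib-only Python sketch in which each reader's fake project codename is derived with HMAC-SHA256 from a secret key, so the drafter can regenerate the mapping from the key alone and nobody without the key can predict or forge a colleague's codename. The class and method names (`CanarySalter`, `token_for`, `salt_message`, `identify_leak`), the `PRJ-` codename format and the sample messages are all constructed here.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Hypothetical helper (not from the thread): one shared draft becomes a
# per-reader variant by substituting a fabricated project codename. Because
# each codename is unique to one reader, a later leak points back to exactly
# one person, without the drafter having to remember who got which variant.

TOKEN_RE = re.compile(r"PRJ-[0-9A-F]{8}")


class CanarySalter:
    """Derive per-reader canary codenames from a secret key with HMAC-SHA256."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Secret key: anyone without it cannot predict another reader's token
        # or forge one that points at a colleague.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.tokens: Dict[str, str] = {}  # token -> reader

    def token_for(self, reader: str) -> str:
        """Deterministic codename for one reader; records it for later lookup."""
        digest = hmac.new(self.key, reader.encode("utf-8"), hashlib.sha256).hexdigest()
        token = f"PRJ-{digest[:8].upper()}"
        self.tokens[token] = reader
        return token

    def salt_message(self, template: str, reader: str) -> str:
        """Fill the {CANARY} slot in a draft with this reader's codename."""
        return template.replace("{CANARY}", self.token_for(reader))

    def identify_leak(self, leaked_text: str) -> Optional[str]:
        """Return the reader whose codename appears in leaked text, if any."""
        for token in TOKEN_RE.findall(leaked_text.upper()):
            if token in self.tokens:
                return self.tokens[token]
        return None


def demo() -> Optional[str]:
    """Constructed walk-through: three readers, one paraphrased leak."""
    # Constructed sample data, not from the thread.
    salter = CanarySalter(key=b"constructed-demo-key-do-not-reuse")
    draft = "FYI: the {CANARY} acquisition is moving to due diligence next month."
    readers = ["admin-a", "admin-b", "admin-c"]
    variants = {r: salter.salt_message(draft, r) for r in readers}
    assert len(set(variants.values())) == len(readers)  # every variant differs
    # Gossip that surfaced elsewhere: reworded, lower-cased, only the codename kept.
    gossip = "heard that " + salter.token_for("admin-b").lower() + " is a buyout"
    return salter.identify_leak(gossip)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is HMAC over a random table: a plain random token per reader works too, but then the token-to-reader table becomes a secret that must be stored and protected, whereas with HMAC only the key does. Matching is case-insensitive because a leak is rarely quoted verbatim.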
Re:a survey (Score:3, Interesting)
I dunno..
I've worked at some companies that were really strange. In one particular place the CTO had some interesting files in his share. Now I'm not a prude by any means, but this guy's share had some weird sh*t. At least my p0rn is wholesome (yeah yeah, one man's wholesome is another man's bestiality... baaaah and moo to you). It's tough not to notice when the guy's fileshare took up close to 80G out of the 100G allocated to the entire company (this was the days before 1TB drives were common).
The guy was also an ass though. When I left I made sure that I held onto the offsite mail spool backup because he wasn't above writing a check and then stopping it at the bank. I still have that backup, btw. Hi Mark.
In every other place though, I could not care any less about what they kept in their mail spool or fileserver. If their raccoon and chihuahua p0rn and watermelon fetish is clogging up the backups I'll send them an automated email telling them to clean up, but that's it. None of my business.
Re:Not reasonable (Score:2, Interesting)
In fact, when people do not care about security, discovering their password would require at most a superficial knowledge of the individual.
As soon as someone is aware of the risks, however, it becomes practically impossible to guess a password from what you know about him, because the brain can do pretty contorted reasonings (a password is seldom random, especially if you want to remember it instead of writing it down) which are obscure to other people. That's security through obscurity.
Re:a survey (Score:5, Interesting)
If you are that good as an IT admin (or any other position, for that matter), if you are that good, they will have already done more damage to the company by firing you than you could do deliberately back to them.
Recruiters estimate that simply by firing one person and hiring another, a company will lose around $120,000 in productivity alone; HR and accounting paperwork to fire that person, redundancy payments for several months in advance, along with recruiters fees to find someone new, time taken by existing employees to interview possible candidates, more HR and accounting paperwork to hire the person if there is a match, and time taken by the new employee to get up to speed. Not even considering that other people may be waiting for various tasks to be completed by the person in that position.
Re:a survey (Score:5, Interesting)
I agree, accidentally deleting a huge database is better. Go in, yank 1 cable from the back of the server and plug it back in from one of the power vaults to the RAID 50 and the RAID will eat itself over the course of 2-3 days. Without any admins familiar with it, they will not get the pile of RAID failure warnings until most of the DB and files are corrupt. Bonus points if it takes 2-3 weeks and all the backups are corrupted as well.
Impossible to trace or prove anything was intentional, and it screws them good.
There are at least 80 other ways to cause gradual data corruption that without familiar IT staff on hand will grow out of control by the time someone finds it.
Screw stealing passwords or data, just start a chain of unfortunate events.
My favorite is to make some very restrictive rules in the company firewall and then save it, then revert to the old rules right before you're laid off. The date stamp will be from months previous and confuse anyone tromping around in it.
Skewed Statistics (Score:2, Interesting)
Re:The other 22%... (Score:2, Interesting)
Amen to this. People seem to get all wide-eyed over getting root access and such. Personally, I don't want any more access than is necessary to do my job so I can earn my paycheck and go home. You want to take away some access from me. Fine. Here is how I can do my job with these limits. You decide.
Once when I was brand new in the IT field I found the salary information for the company I was working for. Well, my curiosity got the best of me. It was quite anti-climactic and was probably the event that I need to realize that I really don't care about most of what is out there. 15 years later I'm the IT director of a company with root access to every router, database and server. I didn't care what anyone made. I had years to look at any information in the payroll system or anywhere else and didn't care. On the day that I left (not on the best terms) the guy who took my place called me at home and asked me to fix something on one of the routers that evening. I did using the same password I'd used the day before. I never tried again to see if worked or had been changed. It's been years. I still know it, it may still work and I still don't care.
On a few occasions I was asked by those with authority to do so to examine a some systems to see if there was any evidence of criminal activity. During that time I saw stuff that the system's users might not want me to know and uncovered some unethical (but not illegal) activity. I told those in authority only the information they had asked me for, left the rest of it alone and didn't tell anyone else about it. Again, I don't care. Want me to design your database or set up your server room? OK. Want me to get involved in high school office politics and get me on you office "team?" Stop wasting my time and go hump someone else's leg.
I just want to do job I'm assigned and go home.
MAC (Score:2, Interesting)
Re:Not reasonable (Score:5, Interesting)
Sounds like an unreasonable estimate to me. If people were that vindictive and dishonest then IT (and similar) systems wouldn't ever keep working.
Why is Parent comment not modded "Funny"?
A) I don't know if I would have guessed these numbers exactly, but it certainly shouldn't be a total surprise to anyone who's worked in IT for any length of time. B) 300 is not even close to a statistically relevant sample size.
That said, the part that I think is interesting is that this corruption is more intense the higher you go in the corporate ladder. What makes that funny upon interesting is that I think the C-level folks may think they're the only ones who do this - this article might actually be news to them. Now that is funny!
Layoffs, by the same token, in practice are generally every bit as corrupt, vindictive (in who gets selected to go) and dishonest (they're usually to boost quarterly profits). Businesses still work (relatively speaking anyway) in spite of that as well.
I'd say this article and the study itself are slanted against workers.
-Matt
P.S. This is another POS Computerworld article - Computerworld UK this time. IMHO, anyway.
Re:a survey (Score:3, Interesting)
Snagging the CEO's password isn't about access to the network.
It's about impersonating the CEO.
E.g. Go to some underfunded public library far from your home, install the VPN client from the disk you have laying about at home... voila... You can send, receive, reply to, and delete email as the CEO. Imagine the damage you could do. Likely the best tactic would be to not "invent" anything, but just forward well-chosen items from his Sent Items folder to the right (aka wrong) people.
And no I'm not a shady character. It's just good practice to think like the enemy.
Also, I agree the article seems like BS. Just look at the source.
This happened where I work (Score:1, Interesting)
And do what with them? (Score:1, Interesting)
I wouldn't go out of my way to steal the passwords, but I keep the passwords I use in a password database type application. I had copies of that database at home for work-at-home use.
I still have them from my previous employer, and have never used them, but I don't have any intention of getting rid of them either. You never know when they might be useful for non-malicious purposes.
My local export of the Subversion repository (mostly stuff I wrote) is also a useful reference on occasion.
Re:Might Be Reasonable (Score:5, Interesting)
I've been through a couple of layoffs. In one, the company was concerned about stealing, sabotage, and other vindictive behaviours. So they surprised everyone with two week severance packages and an escort out the door one morning. They brought in people at the butt crack of dawn to turn off every computer in the building. Later, "core" people started deserting the company, taking whatever they wanted with them.
In the other one, there was an announcement, something like, "The 20 people in this room are being laid off. Starting in two weeks we're going to lay off 4 people per week for 5 weeks. We expect you all to continue to do your jobs as well as you can *while* you look for work. Let your supervisor know of any scheduled interviews, they will be considered paid time off. As you find work report your start date so each week we can try to lay off people who already have new jobs."
The second layoff went without a hitch. The people laid off kept relations with the company, some came back later.
I know it's not the same as firing someone, but it does seem to me some companies treat laid off employees as if they've been fired.
As a former admin who was laid off... (Score:4, Interesting)
The last thing I wanted was to be in a position where someone hacked the systems and I got blamed because I "knew the passwords"....
I even handed over my personal notes on the network and had my boss shred the ones he didn't need before I left.
I can't believe there are that many admins who have that little respect for themselves that they'd be willing to steal passwords.
Internal privacy. (Score:1, Interesting)
"The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details and people's personal emails."
A thought just occurred to me. Remember the Slashdot story awhile back about changing the nature of the information in such a way that only the absolute essentials would be released and it would be in a form that would protect the users privacy? I would think the same relationship would apply to an internal network. The admin would only have access to the essential information in a form that would protect internal privacy AND allow the admin to do his/her work.
Re:Not reasonable (Score:3, Interesting)
Really? 'Cause I was helping out a friend's business that had a crappy D-Link router. Chose the Cisco 508 router over the Linksys. It was utter crap. Would randomly drop its WAN connection, and take 10 minutes to reconnect. Tech support were idiots, and said it was the cable modem. Linksys router plugged in, set up in 5 minutes, and hasn't rebooted yet (it's been 6 months!)
Most security threats are from within. (Score:2, Interesting)
As they say "most security threats are from within".
Just take the security of personal freedoms in the USA. Those in charge of the government at this time have stolen much freedom in the doublespeak name of freedom. Having passwords "stolen" or "remembered off site" is potentially just the same. Much damage could be inflicted upon companies depending on the range of access that the admins who are laid off have. Identity theft can occur, etc...
Escorting people out is one way. I've been "let go" a number of times. Usually it's simply two weeks notice and all works out. Other times it's two hours and they have someone watching you the whole time and escorting you out with your two weeks severance. One time it was after I arrived home on a Friday night with a phone call and stuff sent to me via courier. It all depends upon their paranoia factors. Often the reasons are not even told to us. In many ways employees and even contractors and consultants are modern day indentured servants.
Of course, finding out that the system admins stole passwords or used them afterwards generally means it was wise for the company to let them go, as those kinds of admins are dishonest (maybe more honest than whom they used to work for, but still).
Systems really are brittle, with many ways to subvert them. Rather than subvert your past employer's systems, I'd recommend building your own path to financial independence so that you don't need to work for companies that have the power to fire you!
How not to threaten to fire... (Score:2, Interesting)
I spent four years working as a school sysadmin--one for an elementary school and three for a high school.
Unhappy with an incompetent and micromanaging elementary-school principal, I interviewed for the sysadmin job at another school. That principal called my principal to facilitate handing me over, and I subsequently received the third degree for being "disrespectful and underhanded", along with "I could say things about you to make sure you never work in the school district again." Said principal then twisted my new principal's arm enough to get me split part-time each between the two schools.
Fortunately, I got a post as the sysadmin for a high school--one full-time job instead of two part-timers.
After two years and two micromanaging, incompetent principals, the principal threatened to not reappoint me for a third year. Among other reasons, he received hearsay that I had applied for another job.
So what did I learn working for a public school district? Four years of long hours and low pay, three supervisors who shouldn't even have been working at McDonald's, and two threats to get rid of me for something legal I did while off the clock.
I didn't sabotage anything, but I could have. Thank God for my personal ethics. And they wonder why they can't hold onto IT staff...
Re:Not reasonable (Score:5, Interesting)
The odds of running into a malicious hacker when looking for technical help are nearly nil. Hackers simply don't work this way.
It's called Google, and hackers absolutely do work this way. I should know.
Let me tell you a little story.
I am a penetration tester by trade. I was tasked to look into a particular company's custom-built project-management app, which I had no prior knowledge of, access to, or even IP addresses for.
After a bit of googling, I came up with the names and email addresses of a few developers (some of whom no longer worked for the company). Googling those email addies, I found posts on various forums for MsSQL administration, ASP coding, and cisco routers. Within only a few minutes, I knew the hardware that the system was running, the firmware version on the router, the technology in use, and even had some code samples pulled straight from the app.
I located and compromised that application with no prior knowledge in less than an hour.
Having other people "check your work" is a GOOD thing and it's how IT security is actually improved in practice
Yes. Having Project Managers, your programming peers, and a security auditor with an NDA check your work is a good thing. Having some random guy on a forum check your work, and publish the results where they will be archived, indexed and searchable forever, is an extremely stupid idea.
I think all sysadmins should review this (Score:4, Interesting)
Re:I think all sysadmins should review this (Score:3, Interesting)
I agree with you on all points. I too have integrity and work by the LOPSA code of ethics.
Unfortunately, my unwillingness to violate that has kept me from advancing in my career. Someone else is always willing to forego ethics for the almighty dollar.
I am not.
Re:As a former admin who was laid off... (Score:4, Interesting)
That's what I did when I was walked out two weeks into my three week notice. I walked down to the office of the guy that was going to be handling my work until a replacement was found, disabled my VPN access and account in front of him and the Security manager, and then left the room as the administrator password was changed.
Even with those measures, I was still the first person blamed when one of the plant networks went down two weeks after I left (and on the first day of my new job, of all times) due to a hardware failure (fiber-to-ethernet converter... and had I been allowed to have that last week, I would have been able to a few people to fill in for me... turning a two-day outage into a five to ten minute outage).
Re:Not reasonable (Score:4, Interesting)
I've been on the other end of that kind of thing. I had a client, who had an employee they suspected of doing something shady. The employee had already given notice that she would be leaving the company, and was finishing up her two weeks or whatever. Anyway, the boss asked me to set up her e-mail account to forward a copy of all her e-mail to him, so he could essentially spy on her incoming e-mail without her knowing about it.
I weighed the moral implications briefly, and decided that since this is a company e-mail account intended to be used exclusively for business purposes, and there was a specific issue he wanted to investigate, I didn't have a serious moral objection. Not entirely comfortable, but he's the boss.
The trick was, their ISP was hosting their e-mail accounts. They didn't have a domain name, just individual mailboxes for a couple of people. So I called them up, explained that I was the company's IT guy, and asked them to set the mailbox in question to forward a copy of everything to the owner's e-mail address. I gave them the address to forward the mail to. They set it up without question.
Re:Not reasonable (Score:3, Interesting)